API Access & Usage Policy

Updated: 1st September 2025

This API Access & Usage Policy (the “Policy”) governs use of Fanvue’s application programming interfaces (the “API”). It applies to all requests made with an API Key issued by Fanvue.

This Policy supplements the General Terms & Conditions and other applicable Fanvue Policies. If there is any conflict between this Policy and the General Terms, the terms of this Policy shall prevail for the specific subject matter it governs.

All defined terms used herein shall have the meaning assigned in the General Terms & Conditions, unless otherwise stated.


DEFINITIONS

“API Key” means a unique credential issued by Fanvue, used to authenticate API requests. It must be sent in the X-Fanvue-API-Key header.

“Scopes” means the fixed permissions associated with an API Key, which determine which endpoints and operations the key may access. Scopes are set when the key is issued and cannot be modified afterwards.

“API Version” means the required version identifier for the API, sent in the X-Fanvue-API-Version header. The value must follow the format YYYY-MM-DD (e.g. 2025-06-26).

“Rate Limit” means the maximum number of requests permitted per key within a defined window.

“Supported Version” means an API Version that Fanvue currently supports. Fanvue may deprecate or sunset versions.


1. ACCESS & AUTHORISATION

1.1 Authentication

  1. All secured endpoints require the header X-Fanvue-API-Key.
  2. Keys are validated for format, hashed, and matched against Fanvue records. Revoked keys are rejected.
  3. On successful authentication, the request context is associated with the issuing user and the key’s scopes.

1.2 Authorisation

  1. Endpoints declare required Scopes. Access is granted only if the API Key’s Scopes include the required set.
  2. Requests without valid credentials or sufficient permissions will return a 401 Unauthorized or 403 Forbidden response status code, as appropriate.

1.3 API Versioning

  1. The header X-Fanvue-API-Version is required on requests in the format YYYY-MM-DD.
  2. Fanvue may reject unsupported or sunset versions and require an upgrade to a Supported Version.
  3. Version lifecycle follows: Active → Deprecated → Sunset.
  4. Deprecation is communicated via RFC 8594 standard headers:
    1. Deprecation: Indicates when the version was deprecated.
    2. Sunset: Specifies when the version will stop working.
    3. X-Fanvue-API-Next-Version: Recommends the migration path.

2. API KEY MANAGEMENT

  1. API Keys are issued to a specific Fanvue user account and are non-transferable. Only one active API key per user is permitted at any time.
  2. Keys can be obtained and managed at https://www.fanvue.com/api-keys.
  3. Keys are stored hashed and cannot be retrieved after creation. Keys can be revoked at any time, with revocation taking immediate effect.
  4. Scopes are fixed when the key is issued and cannot be modified after creation.
  5. Fanvue may record API usage metadata (e.g. key identifier, method, path, timestamps) for security, audit, and operational purposes in accordance with our Privacy Policy.

3. TECHNICAL REQUIREMENTS

  1. Required headers on secured endpoints:
    1. X-Fanvue-API-Key: a valid, unrevoked key.
    2. X-Fanvue-API-Version: the requested API Version (e.g. 2025-06-26).
  2. Requests must be made over HTTPS. Plain HTTP is not permitted.
  3. Clients must handle error responses appropriately:
    1. 400 Bad Request: Invalid request (e.g., unsupported API version, malformed parameters). Check the error message and API documentation for details.
    2. 401 Unauthorized: Missing or invalid authentication.
    3. 403 Forbidden: Insufficient permissions for the requested endpoint.
    4. 410 Gone: API version permanently removed (includes nextVersion field).
    5. 429 Too Many Requests: Rate limit exceeded (includes Retry-After header).

4. PERMITTED USE

  1. Subject to Scope, the API enables the following operations:
    1. Users: Reading current user details.
    2. Chats: Listing chats, creating new chats, sending messages, retrieving chat messages.
    3. Creators: Reading followers and subscribers.
    4. Insights: Reading earnings data, top-spending fans, and subscriber counts.
    5. Agencies: Managing creators, creator-specific chat operations, and creator analytics.
  2. Pagination and filtering may apply as documented for each endpoint.
  3. API access is controlled and may be limited to whitelisted or approved users during rollout.

5. PROHIBITED USE

  1. Calling secured endpoints without a valid API Key or with an invalid format.
  2. Accessing endpoints without the necessary Scopes.
  3. Exceeding Rate Limits or failing to respect Retry-After guidance.
  4. Attempting to subvert authentication, authorisation, versioning controls, or rate limiting.
  5. Misusing or sharing API Keys. Keys must be kept confidential and secure.
  6. Any use contrary to the Acceptable Use Policy or this Policy.

6. RATE LIMITS & FAIR USAGE

  1. Default limit: 100 requests per 60 seconds per API Key (subject to change or per-route overrides). The request bucket refills completely every 60 seconds.
  2. Responses include standard rate limit headers when applicable:
     Header                  Meaning
     X-RateLimit-Limit       Total request capacity for the current window
     X-RateLimit-Remaining   Requests remaining in the current window
     X-RateLimit-Reset       Unix time (seconds) when the window resets
  3. When limits are exceeded, the API returns a 429 Too Many Requests status code and may include:
    1. Retry-After header: seconds until another request may be attempted.
  4. Implement exponential backoff and honour the Retry-After header to avoid throttling.
  5. Fanvue may tune limits per route or client and may enforce stricter limits for stability.
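
The retry rules in this section can be combined on the client as follows. This is an added example, not code supplied by Fanvue; the function names, the backoff base, the 60-second cap and the attempt limit are assumptions, and only the header names and status codes come from this Policy.

```python
import random
import time


def _int_header(headers, name):
    """Case-insensitive header lookup; returns a non-negative int or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            try:
                return max(0, int(str(value).strip()))
            except ValueError:
                return None  # not a number of seconds; fall back to other signals
    return None


def retry_delay(status, headers, attempt, now=None, base=1.0, cap=60.0,
                max_attempts=5, rng=random.random):
    """Seconds to wait before resending, or None if the request must not be resent."""
    # Only 429 is retried here. 400, 401, 403 and 410 need the cause fixed
    # (parameters, key, scopes, version); resending them unchanged is wasted quota.
    if status != 429 or attempt >= max_attempts:
        return None
    now = time.time() if now is None else now
    hint = _int_header(headers, "Retry-After")
    if hint is None:
        reset = _int_header(headers, "X-RateLimit-Reset")
        hint = max(0.0, reset - now) if reset is not None else 0.0
    # Exponential backoff with jitter (assumed parameters), capped at one window.
    backoff = min(cap, base * 2 ** attempt) * (0.5 + 0.5 * rng())
    return max(float(hint), backoff)  # never retry sooner than the server asked


def pace_delay(headers, now=None):
    """After a successful response: wait for the reset if the bucket is empty."""
    now = time.time() if now is None else now
    remaining = _int_header(headers, "X-RateLimit-Remaining")
    reset = _int_header(headers, "X-RateLimit-Reset")
    if remaining == 0 and reset is not None:
        return max(0.0, reset - now)
    return 0.0


if __name__ == "__main__":
    # Constructed sample response headers, not captured from the real API.
    throttled = {"Retry-After": "17", "X-RateLimit-Remaining": "0"}
    print(retry_delay(429, throttled, attempt=0))
    print(retry_delay(403, {}, attempt=0))
```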

7. DATA & PRIVACY

  1. API responses are scoped to the authenticated user and permitted Scopes.
  2. Fanvue processes and stores API-related data in accordance with our Privacy Policy.
  3. The API currently provides read-only access. No write operations are available unless explicitly documented.

8. INTELLECTUAL PROPERTY

  1. The API, its specification, and related documentation are owned by or licensed to Fanvue.
  2. This Policy does not grant any IP rights beyond those necessary to consume the API as permitted by your Scopes and the General Terms & Conditions.

9. RESALE & REUSE

  1. Reselling, sublicensing, or redistributing API access, data, or responses to third parties is not permitted unless expressly authorised by Fanvue.
  2. Additional restrictions may apply under the Acceptable Use Policy and other Platform terms.

10. SECURITY REQUIREMENTS

  1. Always use HTTPS and secure, up-to-date TLS configurations.
  2. Store API Keys securely:
    1. Use environment variables or secure secrets management systems.
    2. Never hardcode keys in source code.
    3. Do not embed keys in client-side code or expose them publicly.
    4. Do not commit API keys to publicly accessible version control repositories (e.g., GitHub).
  3. Rotate Keys periodically and immediately if compromise is suspected.
  4. Monitor API usage for unexpected activity.
  5. Handle error responses gracefully and remediate underlying causes before retrying.
  6. Do not attempt to bypass security controls or versioning requirements.

11. TERMINATION, SUSPENSION & VERSIONING

  1. Fanvue may suspend or revoke API access at any time for policy breaches, abuse, risk, or operational reasons.
  2. Keys may be revoked individually by Fanvue or at your request; revocation takes immediate effect.
  3. Fanvue may deprecate or sunset API Versions. Clients must upgrade to Supported Versions within timelines communicated by Fanvue.
  4. Fanvue may apply throttling or other protective measures to preserve Platform integrity.

Need Help?

If you have questions about any of our policies or need assistance:

Fanvue reserves the right to amend this Policy from time to time. The latest version will always be accessible at legal.fanvue.com, and significant changes will be communicated where required.